Bug #40030 Security issue with backtick
Submitted: 2007-01-05 11:36 UTC Modified: 2007-01-05 21:42 UTC
From: admin at digibase dot ca Assigned:
Status: Not a bug Package: Scripting Engine problem
PHP Version: 5.2.1RC2 OS: Linux
Private report: No CVE-ID: None
 [2007-01-05 11:36 UTC] admin at digibase dot ca
Description:
------------
Whenever I attempt to escape any code, backticks still 
execute without a problem. Whenever I execute it from the 
CLI (where I want it to execute from), it accepts 
injection no matter WHAT I do.

It seems as if there's only one way to disable this, which 
is to enable safe mode; however, that presents problems: it 
disables functions I want enabled and causes problems on 
the webserver attached.

Reproduce code:
---------------
$text = escapeshellarg(escapeshellcmd(strtolower($text)));

Expected result:
----------------
Filter out and prevent injection of arbitrary code while 
sending the clean text on for processing in an 
if/elseif/else tree

Actual result:
--------------
When run like

php ./script status && `rm`

rm actually decides to run. Not under privileges, but it 
can cause damage.

 [2007-01-05 11:38 UTC] admin at digibase dot ca
I was unclear on the situation. This is code being 
executed from IRC via the CLI; when someone, per se, 
says "status `rm`" it actually tries doing that specific 
code.
 [2007-01-05 15:25 UTC] iliaa@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Passing `rm` to escapeshellarg() encloses the text in single 
quotes, preventing it from being executed.
 [2007-01-05 17:56 UTC] admin at digibase dot ca
Here's the code that's executed via the cli:
<?php
// $argv[1] is whatever the invoking shell handed over after its own expansion
$text = $argv[1];
$text = escapeshellarg(escapeshellcmd(strtolower($text)));
echo $text;
?>
here's the command:
php ./script.php blah `exec'd command`
 [2007-01-05 17:57 UTC] admin at digibase dot ca
correction:
php ./script.php "blah `exec'd command`"
 [2007-01-05 21:42 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

The command in backticks is processed before it even reaches 
PHP. Backticks are execution elements on the shell as well.
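To make the maintainer's point concrete, here is an added shell example that is not part of the bug report: `printf '%s'` stands in for `php ./script.php` (which only echoes its argument) and the IRC text is a constructed sample. Pattern 1 splices the text into a command string that a shell parses, so the backticks are substituted before the child starts; pattern 2 passes it as a quoted variable expansion; pattern 3 single-quotes it on the caller's side the way escapeshellarg() does inside PHP.

```shell
#!/bin/sh
# Constructed sample of text received from IRC; treated as untrusted.
INPUT='status `echo EXPANDED`'

# printf '%s' stands in for `php ./script.php`, which echoes argv[1].

# Pattern 1 (what the report describes): the untrusted text is spliced
# into a command string that another shell parses. That shell performs
# command substitution on the backticks before the child program sees
# its argv, so escapeshellarg() inside the child runs too late to help.
argv_seen_when_spliced() {
  sh -c "printf '%s' \"$INPUT\""
}

# Pattern 2: the text is passed as a quoted variable expansion. The
# result of "$INPUT" is not re-scanned for command substitution, so the
# child receives the backticks as literal characters.
argv_seen_when_passed() {
  printf '%s' "$INPUT"
}

# Pattern 3: when a command string for a shell cannot be avoided, the
# caller must quote the argument itself (what escapeshellarg() does in
# PHP): wrap it in single quotes and turn each embedded ' into '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

argv_seen_when_quoted() {
  sh -c "printf '%s' $(shell_quote "$INPUT")"
}

# Stand-alone demonstration: the first line shows the substituted text,
# the other two show the literal backticks reaching the child.
argv_seen_when_spliced; echo
argv_seen_when_passed;  echo
argv_seen_when_quoted;  echo
```

The hardening lesson is on the caller's side: the IRC bot must hand the text over as an argument (pattern 2) or quote it before building a shell command (pattern 3); nothing the PHP script does to $argv[1] can undo an expansion that already happened.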